ENISA develops threat taxonomy for smart cars to promote good cybersecurity practices in the automotive industry

• Attackers can deploy malicious communication units with the objective to spread malware or to disrupt infrastructure communications.
• An attacker can launch a DoS attack to block critical messages and prevent a semi-autonomous vehicle from reacting appropriately to a situation.

The European Union Agency for Cybersecurity (ENISA) has released a new report to promote cybersecurity for connected and semi-automated cars.

The report presents an in-depth analysis of the emerging threats on smart cars along with the recommendations that can enhance the security of such vehicles.

Type of attacks on smart cars

The report released by ENISA has highlighted eleven attack scenarios, six of which have a rating of ‘High’ severity. These ‘High’ severity attack scenarios are:

• Attack by exploiting a vulnerability in a communication stack: This can lead to severe issues such as critical ECU reprogramming and taking control over the Controller Area Network (CAN bus).
• Attack by hacking mobile car application: This can allow an attacker to order a car to drive to a destination not opted by the driver.
• Attack on remote servers to influence car behaviors: The attackers can abuse remote servers to compromise map data or even alter data on traffic conditions.
• Attack by leveraging fake communication units: Attackers can deploy malicious communication units such as Base Transceiver Station (BTS), Wi-Fi router and RSU with the objective to spread malware or to disrupt infrastructure communications.
• An attack that involves rogue firmware: Penetration of Original Equipment Manufacturer back-end server with the aim to initiate malicious firmware updates could lead to devastating results.
• Blocking critical messages at the automation level 4: An attacker can launch a DoS attack to block critical messages and prevent a semi-autonomous vehicle from reacting appropriately to a situation.

Security measures recommended

ENISA has provided some good security measures with an aim to identify the relevant assets, the emerging threats targeting the smart car’s ecosystem This includes polices, organizational practices and technical practices.

• Policies-related security measures cover both security and privacy aspects. They have been classified into four security domains, namely Security by design, privacy by design, Asset management, and Risk & threat management.
• Organizational practices cover several aspects such as relationships with suppliers, employees, training, incident management, etc.
• Technical practices cover several aspects such as software security, cloud security, detection, access control and so on.